
US6327595B1 - Apparatus for securing and accessing data elements within a database - Google Patents

Info

Publication number
US6327595B1
Authority
US
United States
Prior art keywords
secured
processing unit
symmetric key
data element
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
US09/476,942
Inventor
Patrick A. Lyson
Ron J. Vandergeest
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Entrust Corp
Original Assignee
Entrust Ltd
Application filed by Entrust Ltd
Priority to US09/476,942
Application granted
Publication of US6327595B1
Assigned to WELLS FARGO FOOTHILL, LLC reassignment WELLS FARGO FOOTHILL, LLC PATENT SECURITY AGREEMENT Assignors: BUSINESS SIGNATURES CORPORATION, CYGNACOM SOLUTIONS INC., ENCOMMERCE, INC., ENTRUST INTERNATIONAL LLC, ENTRUST LIMITED, ENTRUST, INC., HAC ACQUISITION CORPORATION, HAC HOLDINGS, INC., ORION SECURITY SOLUTIONS, INC.
Assigned to ENTRUST INC. reassignment ENTRUST INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LYSON, PATRICK A., VANDERGEEST, RON J.
Assigned to ENTRUST, INC., ENTRUST HOLDINGS, INC., ORION SECURITY SOLUTIONS, INC. reassignment ENTRUST, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: GOLUB CAPITAL LLC
Assigned to ENTRUST, INC., ENTRUST HOLDINGS, INC., ORION SECURITY SOLUTIONS, INC. reassignment ENTRUST, INC. RELEASE BY SECURED PARTY (SEE DOCUMENT FOR DETAILS). Assignors: WELLS FARGO CAPITAL FINANCE, LLC
Assigned to BMO HARRIS BANK N.A., AS AGENT reassignment BMO HARRIS BANK N.A., AS AGENT SECURITY AGREEMENT Assignors: ENTRUST, INC.
Assigned to Entrust Corporation reassignment Entrust Corporation MERGER (SEE DOCUMENT FOR DETAILS). Assignors: ENTRUST, INC.

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/60 Protecting data
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
                                • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
                • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F2221/2107 File encryption
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
        • Y10 TECHNICAL SUBJECTS COVERED BY FORMER USPC
            • Y10S TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
                • Y10S707/00 Data processing: database and file management or data structures
                    • Y10S707/99931 Database or file accessing
                        • Y10S707/99938 Concurrency, e.g. lock management in shared database
                        • Y10S707/99939 Privileged access
                    • Y10S707/99951 File or database maintenance
                        • Y10S707/99952 Coherency, e.g. same view to multiple users

Definitions

  • FIG. 1 illustrates a schematic block diagram of a computing device 10 that includes a central processing unit 12 , memory 14 , a data input/output port 16 , and a database 20 .
  • the central processing unit 12 includes a microprocessor, microcontroller, digital signal processor, a plurality thereof, and/or a combination thereof.
  • the memory 14 may be read-only memory, random access memory, floppy disk memory, hard disk memory, magnetic tape memory, CD ROM memory, DVD ROM memory, and/or any other device that stores digital information.
  • the database 20 is a random access memory, floppy disk memory, hard disk memory, magnetic tape memory, any other device that stores digital information, and/or any combination thereof.
  • the memory 14 stores a database control application 24 , a database security application 26 , at least one encryption public key certificate 34 , and at least one secured symmetric key 32 .
  • the database control application 24 is an application that controls the establishment and maintenance of database 20 .
  • the database application 24 may be a Microsoft Access™ database, a Filemaker Pro™ database, or any other commercially available or customized database algorithm.
  • the database security application 26 interfaces with the database control application 24 and performs the programming instructions illustrated in FIGS. 2 through 4, the details of which will be discussed subsequently.
  • the encryption public key certificate 34 includes an identity of the computing device 10 , an encryption public key for computing device 10 , and an electronic signature of a certification authority issuing the certificate 34 .
  • the certification authority controls which other entities will have access to the database.
  • the operator of computing device 10 may be the only entity to have access to database 20 , or a plurality of entities may have access to the database, where the access is obtained through the Internet, local area network, wide area network, and/or other digital networking scheme.
  • entities may be different programming applications, such as a payroll application, encryption application, a human resources application, accounting application, etc.
  • the different entities may be different computers located at various sites through a network.
  • the database 20 includes a plurality of data elements 22 , which may be arranged into functional groupings of two-dimensional relationships, three-dimensional relationships, four-dimensional relationships, etc.
  • the database 20 is shown to have three sections, one for data-type A, one for data-type B, and the other for data type C.
  • the data type generally corresponds to relational data.
  • data-type A may be for company X
  • data-type B may be for company Y
  • data-type C may be for company Z.
  • Each grouping of rows includes a plurality of columns, one for employee data, another for security information, and a third for payroll information.
  • the employee data may include the employee name, employee phone number, social security number, address, department number, etc.
  • the security information for an employee includes access to certain facilities, expenditure authority, signature authority, etc.
  • the payroll information includes information as to whether the employee is exempt or non-exempt, the employee wages, bonus structures, taxing information, and other relevant payroll information.
  • the three groupings, data-type A, B, and C may each have a separate symmetric key for accessing data elements within those areas of the database.
  • a symmetric key may be generated for the entire database, which would be used by a system administration or other such entity.
  • data-type A information is broken down into column groupings, data-type A-A, data-type A-B, data-type A-C.
  • each of these columns may have its own symmetric key, thereby controlling access to each section.
  • the data-type C group is broken into row groupings, data-type C-A, data-type C-B, data-type C-C and data-type C-xx, where each row grouping may have its own symmetric key.
  • the data type B section of the database is not divided into sub-groupings, thus one symmetric key may access the entire section.
  • the column grouping of data-type A-A may have its own symmetric key that is secured based on a single encryption public key or a plurality of encryption public keys. If it is secured based on a single encryption public key, only one user can access the data (i.e., the user having the corresponding decryption private key). If the symmetric key is secured based on a plurality of encryption public keys, then each user having a corresponding decryption private key can access this section of the database. For example, each employee within a company may receive an encryption public key and a decryption private key pair. The information in column A-A may be secured with a symmetric key that is secured based on the encryption public key of each employee of the company.
  • each employee utilizing its decryption private key may decrypt the symmetric key and subsequently access data within column A-A.
  • the data in column A-A may be used as an employee directory for all employees to access. Further note that an employee may be given only read access to the data which may be controlled by the data control application 24 .
  • the data contained in column A-B, which relates to security information, may be encrypted using the same or a different symmetric key that is further secured by a set of encryption public keys.
  • the set of encryption public keys may be assigned to corporate security officers and/or department heads. As such, only a few people are allowed to access (e.g., read, write, edit, etc.) security data within the database.
  • the third column of information A-C, which relates to payroll information, may be secured with the same or a different symmetric key that is further secured by a single encryption public key.
  • the single encryption public key may be owned by the manager of the payroll department such that only the manager of the payroll department may access the secured payroll data.
  • the grouping within data-type C allows for individual employees, based on their encryption public key, to access data related to them.
  • the employee relating to data-type C-A may utilize its encryption public key to decrypt a secured symmetric key, to obtain the data relating to itself.
  • the employee may only be given read privileges related to any or all of the data elements relating to him or herself. Note that the same private/public key pair could be shared among a group and not just individuals.
  • encryption public keys are assigned by a certification authority, which is operated by a trusted entity (e.g., the company's security administrator).
  • the certification authority controls who has access to the database via the issuance of encryption public key pairs, wherein the database's symmetric key was secured via the encryption public key.
  • the symmetric key cannot be recaptured, thereby denying access to the database.
  • the amount of overhead needed to secure multiple items in the database is minimized.
  • FIG. 2 illustrates a logic diagram of a method for securing data within a database.
  • the process begins at step 40 where a symmetric key is secured based on an encryption public key or a plurality of encryption public keys.
  • a single encryption public key would be used if the entire database were only accessible to the entity associated with the encryption public key.
  • the encryption public keys for each of those entities would be used to secure the symmetric key, i.e., produce a wrapped session key therefor.
  • an entity may be an individual user allowed to access the computing device, a group, and/or a software application.
  • step 42 a determination is made as to whether a data element has been received for storage in the database.
  • a data element may be a single bit of information, a byte of information or a plurality of bytes of information.
  • a plurality of data elements may store employee information.
  • a data element may exist for the employee's name, another for his or her address, etc. If a data element is not received for storage, the process waits until one is received.
  • the process proceeds to step 44 where the data is interpreted to determine its data-type. Having determined the data-type, the process proceeds to step 46 where a secured symmetric key is retrieved based on the data-type. Having retrieved the secured symmetric key, the process proceeds to step 48 where the secured symmetric key is decrypted based on a decryption private key that is associated with the data-type, and the entity requesting the data.
  • data within a database may be grouped in data-type groupings.
  • Such data-type groupings may be for relational data, such as employee information, payroll information, security information, etc.
  • data-types may be broken down between different companies, or divisions within a company.
  • a secured symmetric key may be secured by a single encryption public key such that only one entity is allowed to access the database, a group sharing the single encryption public key or from a plurality of encryption public keys such that each entity affiliated with the encryption public key may access the database.
  • a plurality of symmetric keys may be secured by a plurality of encryption public keys such that each entity associated with the encryption public key has its own symmetric key for securing data within a separate portion of the database.
  • step 50 the data element is secured based on the recaptured symmetric key using an encryption algorithm such as DES.
  • step 52 the secured data element is stored within the database.
  • step 54 the recaptured symmetric key is resecured after the secured data element has been stored.
  • the recaptured symmetric key may be resecured by destroying it, or by re-encrypting it using the appropriate encryption public key or a plurality of public encryption keys. Note that, to minimize exposure of the recaptured symmetric key, the recaptured symmetric key should be resecured as soon as possible after the data element is secured. This may also be done before the data element is stored.
  • FIG. 3 illustrates a logic diagram of a method for accessing secured data elements within the database.
  • the process begins at step 60 where a determination is made as to whether a request to receive access to a data element has been received. Once a request has been received, the process proceeds to step 62 where the data-type of the requested data element is determined. Such a determination may be made on the identity of the requesting entity. For example, from the illustration of FIG. 1, if an employee of company Z (which information is stored in data-type C), is desiring to access information, the system would recognize the identity of the requesting entity and determine the particular data-type therefrom.
  • step 64 a secured data element is retrieved from the database.
  • the secured data element was stored in the database based on a secured symmetric key. Such securing of the data element was described with reference to FIG. 2 and will be further described with reference to FIG. 4 .
  • the process then proceeds to step 66 where the secured symmetric key is retrieved based on the data-type.
  • the secure symmetric key is secured based on an encryption public key, which is bound to the data-type.
  • the data may be stored using a symmetric key, wherein the symmetric key is secured by an individual encryption public key or a plurality of encryption public keys.
  • portions of the database may be secured using one symmetric key while other portions may be secured using another symmetric key.
  • the corresponding decryption private key of the encryption key that produced the secured symmetric key is retrieved to decrypt the secured symmetric key. This is illustrated at step 68 .
  • the secured data element is decrypted utilizing the recaptured symmetric key.
  • the process then proceeds to step 72 where the recaptured data element is provided to the requesting entity. Having done this, the process proceeds to step 74 where the recaptured symmetric key is resecured after the data has been provided to the requesting entity.
  • FIG. 4 illustrates a logic diagram of an alternate method of securing data elements within a database.
  • the process begins at step 80 where a security parameter is encoded based on another security parameter to produce a secured security parameter.
  • the first type of security parameter may be a symmetric key and the other security parameter may be another symmetric key.
  • one symmetric key may be utilized to encrypt, or encode, the other symmetric key.
  • the first security parameter may be a symmetric key while the second security parameter may be an encryption public key. If a single entity is to be authorized to access the database, a single security parameter is encoded using the other security parameter.
  • the first security parameter may be encoded by a plurality of second security parameters. If portions of the database were to be made available to individual entities, the security parameters for each portion would be encoded using a corresponding second security parameter of the entity allowed to access the particular portion. As an alternative, if groups of entities are to be given access to portions of the database, the first security parameter for each portion of the database would be secured, or encoded, based on a group of second security parameters.
  • step 82 a determination is made as to whether a data element has been received for storage in the database.
  • step 84 the data is interpreted to determine its type.
  • step 86 a secured, security parameter is retrieved based on the data type.
  • step 88 the secured security parameter is decoded based on the other security parameter that is associated with the data type.
  • step 90 the data element is secured based on the recaptured first security parameter.
  • step 92 the secured data element is stored in the database.
  • step 94 the recaptured security parameter is resecured. The resecuring is done after the secured data element has been stored.
  • step 82 for storing another data element.
  • the programming instructions of FIGS. 2 through 4 may be stored on a memory device or a plurality of memory devices.
  • a memory device may be a read-only memory, random access memory, floppy disk memory, hard disk memory, magnetic tape memory, CD memory, DVD memory, and/or any other device which stores digital information. Further, the programming instructions of FIGS. 2 through 4 may be on a stand-alone memory device or in a memory device that is included in a computing device.
  • the preceding discussion has presented a method and apparatus for securing and accessing data elements within a database.
  • Such a method allows for controlling the access to the database without compromising security, while not adding undue amounts of storage overhead.
  • the control is established by encrypting symmetric keys using encryption public keys, which are granted by certification authorities. Such certification authorities, therefore, control which entities have access to the database.
  • the cost savings for overhead is related to having specific recaptured symmetric keys associated to data items or logical groupings of data items within the database.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

A method and apparatus for securing and accessing data elements within a database is accomplished by securing a symmetric key based on an encryption public key. This may be done for the entire database or portions thereof. Once a symmetric key is secured, the computing system may receive a data element for storage in a database. When a data element is received, the computing device retrieves the secured symmetric key and then decrypts it based on a decryption private key. Having decrypted the secured symmetric key, the recaptured symmetric key is used to secure the data element. The securing is done utilizing an encryption algorithm and the symmetric key. Once the data element has been secured, it is stored in the database. To retrieve a secured data element from the database, a request for access must be received. Once a request is received, the computing device retrieves a secured data element in response to the request. The secured data element has been secured based on a secured symmetric key wherein the secured symmetric key was secured based on an encryption public key associated with the requesting entity. Having retrieved the secured data element, the secured symmetric key is retrieved and decrypted based on a decryption private key. The recaptured symmetric key is used in conjunction with a decryption algorithm, such as DES, to decrypt the data. The recaptured data is then provided to the requesting entity.

Description

This patent application is a divisional patent application of co-pending patent application entitled METHOD AND APPARATUS FOR SECURING AND ACCESSING DATA ELEMENTS WITHIN A DATABASE, having a Ser. No. of 09/047,286, and a filing date of Mar. 24, 1998 now pending.
TECHNICAL FIELD OF THE INVENTION
The present invention relates generally to databases and more particularly to a method and apparatus for securing and accessing data elements within the database.
BACKGROUND OF THE INVENTION
The general structure and use of databases are known. Databases typically allow a large amount of relational data to be stored, modified, updated, and retrieved in an efficient manner. The relationship of data placed into a database may be done as a two-dimensional relationship, i.e., rows and columns, three-dimensional relationship, i.e., rows, columns, and depth, four-dimensional relationships, and beyond. In a two-dimensional database, the columns typically represent data fields, while the rows represent data content. For example, if a company uses a two-dimensional database to store employee information, the data fields may include employee name, employee number, department number, phone, payroll information, security access levels, etc., while the data content of the rows includes the relevant information of a given employee.
To protect data stored within a database, access to the database is limited. The limited access may be achieved by physical limitations, i.e., the database is stored on a computer that is physically not available to unauthorized personnel. The physical isolation of a database may be achieved by having the computer stored in a controlled access environment. Alternatively, the database may be protected by passwords, and/or encrypted using a master symmetric key.
While each of these methods controls access to a database, the security and limited access are not optimal. For example, the master symmetric key technique secures each data element of the database based on a master symmetric key, but the master symmetric key is a clear text key such that if unauthorized personnel obtained it, they could access the database. As such, anyone having access to the symmetric key can access the database.
Having the computer that supports the database in a physically isolated environment is inconsistent with today's demands for data availability to a wide group of users. For example, many companies have facilities located throughout the world, wherein each facility requires access to certain pieces of information that may be stored within a database. Thus, if the database were contained in a physically isolated area, the remote sites would have no access to the information except to create their own. Once multiple copies of the same data are created, it is difficult to keep all copies current.
Therefore, a need exists for a method and apparatus that secures a database without the limitations of existing techniques.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates a schematic block diagram of a database system in accordance with the present invention;
FIG. 2 illustrates a logic diagram of a method for securing data elements within a database in accordance with the present invention;
FIG. 3 illustrates a logic diagram of a method for accessing secured data elements within a database in accordance with the present invention; and
FIG. 4 illustrates a logic diagram of an alternate method for securing data elements in a database in accordance with the present invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT
Generally, the present invention provides a method and apparatus for securing and accessing data elements within a database. This may be accomplished by securing a symmetric key based on an encryption public key for the entire database or portions thereof. Once a symmetric key is secured, the computing system may receive a data element for storage in a database. When a data element is received, the computing device retrieves the secured symmetric key and then decrypts it based on a decryption private key. The decryption private key uniquely corresponds to the encryption public key that was used to secure the symmetric key. Having decrypted the secured symmetric key, the recaptured symmetric key is used to secure the data element. The securing is done utilizing an encryption algorithm and the symmetric key, where the encryption algorithm, such as DES, is applied to encrypt the data. Once the data element has been secured, it is stored in the database.
To retrieve a secured data element from the database, a request for access must be received. Once a request is received, the computing device retrieves a secured data element in response to the request. The secured data element has been secured based on a secured symmetric key, which is a symmetric key that was secured using an encryption public key associated with the requesting entity. Having retrieved the secured data element, the secured symmetric key is retrieved and decrypted based on a decryption private key associated with the requesting entity. The recaptured symmetric key is used in conjunction with a decryption algorithm, such as DES, to decrypt the data. The recaptured data is then provided to the requesting entity. Note that the same symmetric key may be secured using a plurality of encryption public keys such that a plurality of entities, i.e., those associated with the encryption public keys, may request the securing of data elements. Further note that a plurality of symmetric keys may be secured based on a plurality of encryption public keys. With such a method and apparatus, access to a secured database is controlled via public key pairs without having to establish one wrapped symmetric key per secure data element. Thus, securing of data within a database is obtained with the further enhancement of controlling access to the database.
The present invention can be more fully described with reference to FIGS. 1 through 4. FIG. 1 illustrates a schematic block diagram of a computing device 10 that includes a central processing unit 12, memory 14, a data input/output port 16, and a database 20. The central processing unit 12 includes a microprocessor, microcontroller, digital signal processor, a plurality thereof, and/or a combination thereof. The memory 14 may be read-only memory, random access memory, floppy disk memory, hard disk memory, magnetic tape memory, CD ROM memory, DVD ROM memory, and/or any other device that stores digital information. The database 20 is a random access memory, floppy disk memory, hard disk memory, magnetic tape memory, any other device that stores digital information, and/or any combination thereof.
The memory 14 stores a database control application 24, a database security application 26, at least one encryption public key certificate 34, and at least one secured symmetric key 32. The database control application 24 is an application that controls the establishment and maintenance of database 20. For example, the database application 24 may be a Microsoft Access™ database, a Filemaker Pro™ database, or any other commercially available or customized database algorithm. The database security application 26 interfaces with the database control application 24 and performs the programming instructions illustrated in FIGS. 2 through 4, the details of which will be discussed subsequently.
The encryption public key certificate 34 includes an identity of the computing device 10, an encryption public key for computing device 10, and an electronic signature of a certification authority issuing the certificate 34. By utilizing certificates, the certification authority controls which other entities will have access to the database. As such, the operator of computing device 10 may be the only entity to have access to database 20, or a plurality of entities may have access to the database, where the access is obtained through the Internet, local area network, wide area network, and/or other digital networking scheme. Such entities may be different programming applications, such as a payroll application, encryption application, a human resources application, accounting application, etc. Alternatively, the different entities may be different computers located at various sites through a network.
The database 20 includes a plurality of data elements 22, which may be arranged into functional groupings of two-dimensional relationships, three-dimensional relationships, four-dimensional relationships, etc. For illustration and example purposes, the database 20 is shown to have three sections, one for data-type A, one for data-type B, and the other for data type C. The data type generally corresponds to relational data. For example, data-type A may be for company X, while data-type B may be for company Y and data-type C may be for company Z. Each grouping of rows includes a plurality of columns, one for employee data, another for security information, and a third for payroll information. The employee data may include the employee name, employee phone number, social security number, address, department number, etc. The security information for an employee includes access to certain facilities, expenditure authority, signature authority, etc. The payroll information includes information as to whether the employee is exempt or non-exempt, the employee wages, bonus structures, taxing information, and other relevant payroll information.
As shown, the three groupings, data-type A, B, and C may each have a separate symmetric key for accessing data elements within those areas of the database. In addition, a symmetric key may be generated for the entire database, which would be used by a system administration or other such entity. In addition, data-type A information is broken down into column groupings, data-type A-A, data-type A-B, data-type A-C. Thus, each of these columns may have its own symmetric key, thereby controlling access to each section. The data-type C group is broken into row groupings, data-type C-A, data-type C-B, data-type C-C and data-type C-xx, where each row grouping may have its own symmetric key. The data type B section of the database is not divided into sub-groupings, thus one symmetric key may access the entire section.
As mentioned, the column grouping of data-type A-A may have its own symmetric key that is secured based on a single encryption public key or a plurality of encryption public keys. If it is secured based on a single encryption public key, only one user can access the data (i.e., the user having the corresponding decryption private key). If the symmetric key is secured based on a plurality of encryption public keys, then each user having a corresponding decryption private key can access this section of the database. For example, each employee within a company may receive an encryption public key and a decryption private key pair. The information in column A-A may be secured with a symmetric key that is secured based on the encryption public key of each employee of the company. As such, each employee, utilizing its decryption private key, may decrypt the symmetric key and subsequently access data within column A-A. In this manner, the data in column A-A may be used as an employee directory for all employees to access. Further note that an employee may be given only read access to the data, which may be controlled by the database control application 24.
The data contained in column A-B, which relates to security information, may be encrypted using the same or a different symmetric key that is further secured by a set of encryption public keys. The set of encryption public keys may be assigned to corporate security officers and/or department heads. As such, only a few people are allowed to access (e.g., read, write, edit, etc.) security data within the database.
The third column of information A-C, which relates to payroll information, may be secured with the same or different separate symmetric key that is further secured by a single encryption public key. The single encryption public key may be owned by the manager of the payroll department such that only the manager of the payroll department may access the secured payroll data.
The grouping within data-type C allows for individual employees, based on their encryption public key, to access data related to them. As such, the employee relating to data-type C-A may utilize its encryption public key to decrypt a secured symmetric key, to obtain the data relating to itself. As with any database, the employee may only be given read privileges related to any or all of the data elements relating to him or herself. Note that the same private/public key pair could be shared among a group and not just individuals.
By utilizing an encryption public key to secure a symmetric key, the present invention allows a database to be secured with controlled access. As is known, encryption public keys are assigned by a certification authority, which is operated by a trusted entity (e.g., the company's security administrator). As such, the certification authority controls who has access to the database via the issuance of encryption public key pairs, wherein the database's symmetric key was secured via the encryption public key. Thus, without the corresponding decryption private key, the symmetric key cannot be recaptured, thereby denying access to the database. In addition, by utilizing the same, recurring symmetric key and encryption public key in combination, the amount of overhead needed to secure multiple items in the database is minimized.
FIG. 2 illustrates a logic diagram of a method for securing data within a database. The process begins at step 40 where a symmetric key is secured based on an encryption public key or a plurality of encryption public keys. A single encryption public key would be used if the entire database were only accessible to the entity associated with the encryption public key. Alternatively, if other entities were to have access to the database, the encryption public keys for each of those entities would be used to secure the symmetric key, i.e., produce a wrapped session key therefor. Note that an entity may be an individual user allowed to access the computing device, a group and/or a software application.
Having secured the symmetric key, the process proceeds to step 42. At step 42, a determination is made as to whether a data element has been received for storage in the database. A data element may be a single bit of information, a byte of information or a plurality of bytes of information. For example, as mentioned with reference to FIG. 1, a plurality of data elements may store employee information. Thus, a data element may exist for the employee's name, another for his or her address, etc. If a data element is not received for storage, the process waits until one is received.
Once a data element is received for storage, the process proceeds to step 44 where the data is interpreted to determine its data-type. Having determined the data-type, the process proceeds to step 46 where a secured symmetric key is retrieved based on the data-type. Having retrieved the secured symmetric key, the process proceeds to step 48 where the secured symmetric key is decrypted based on a decryption private key that is associated with the data-type, and the entity requesting the data. As mentioned with reference to FIG. 1, data within a database may be grouped in data-type groupings.
Such data-type groupings may be for relational data, such as employee information, payroll information, security information, etc. In addition, data-types may be broken down between different companies, or divisions within a company. As such, a secured symmetric key may be secured by a single encryption public key, such that only one entity (or a group sharing the single encryption public key) is allowed to access the database, or by a plurality of encryption public keys, such that each entity affiliated with one of the encryption public keys may access the database. Additionally, a plurality of symmetric keys may be secured by a plurality of encryption public keys such that each entity associated with the encryption public key has its own symmetric key for securing data within a separate portion of the database.
Once the secured symmetric key has been decrypted, the process proceeds to step 50 where the data element is secured based on the recaptured symmetric key using an encryption algorithm such as DES. The process then proceeds to step 52 where the secured data element is stored within the database. The process then proceeds to step 54 where the recaptured symmetric key is resecured after the secured data element has been stored. The recaptured symmetric key may be resecured by destroying it, or by re-encrypting it using the appropriate encryption public key or a plurality of public encryption keys. Note that, to minimize exposure of the recaptured symmetric key, the recaptured symmetric key should be resecured as soon as possible after the data element is secured. This may also be done before the data element is stored.
FIG. 3 illustrates a logic diagram of a method for accessing secured data elements within the database. The process begins at step 60 where a determination is made as to whether a request to receive access to a data element has been received. Once a request has been received, the process proceeds to step 62 where the data-type of the requested data element is determined. Such a determination may be made on the identity of the requesting entity. For example, from the illustration of FIG. 1, if an employee of company Z (which information is stored in data-type C), is desiring to access information, the system would recognize the identity of the requesting entity and determine the particular data-type therefrom.
With the data-type identified, the process proceeds to step 64 where a secured data element is retrieved from the database. The secured data element was stored in the database based on a secured symmetric key. Such securing of the data element was described with reference to FIG. 2 and will be further described with reference to FIG. 4. The process then proceeds to step 66 where the secured symmetric key is retrieved based on the data-type. The secure symmetric key is secured based on an encryption public key, which is bound to the data-type. As mentioned with reference to FIG. 1, the data may be stored using a symmetric key, wherein the symmetric key is secured by an individual encryption public key or a plurality of encryption public keys. In addition, portions of the database may be secured using one symmetric key while other portions may be secured using another symmetric key. Depending on how the data was secured, i.e., which secured symmetric key was utilized, the corresponding decryption private key of the encryption key that produced the secured symmetric key is retrieved to decrypt the secured symmetric key. This is illustrated at step 68.
Once the symmetric key has been recaptured, the secured data element is decrypted utilizing the recaptured symmetric key. The process then proceeds to step 72 where the recaptured data element is provided to the requesting entity. Having done this, the process proceeds to step 74 where the recaptured symmetric key is resecured after the data has been provided to the requesting entity.
FIG. 4 illustrates a logic diagram of an alternate method of securing data elements within a database. The process begins at step 80 where a security parameter is encoded based on another security parameter to produce a secured security parameter. The first type of security parameter may be a symmetric key and the other security parameter may be another symmetric key. As such, one symmetric key may be utilized to encrypt, or encode, the other symmetric key. Alternatively, the first security parameter may be a symmetric key while the second security parameter may be an encryption public key. If a single entity is to be authorized to access the database, a single security parameter is encoded using the other security parameter. If, however, a plurality of users is allowed to access data within a database, the first security parameter may be encoded by a plurality of second security parameters. If portions of the database were to be made available to individual entities, the security parameters for each portion would be encoded using a corresponding second security parameter of the entity allowed to access the particular portion. As an alternative, if groups of entities are to be given access to portions of the database, the first security parameter for each portion of the database would be secured, or encoded, based on a group of second security parameters.
The process then proceeds to step 82 where a determination is made as to whether a data element has been received for storage in the database. Once a data element has been received, the process proceeds to step 84 where the data is interpreted to determine its type. Having determined the data-type, the process proceeds to step 86, where a secured security parameter is retrieved based on the data type. The process then proceeds to step 88 where the secured security parameter is decoded based on the other security parameter that is associated with the data type. Having recaptured the first security parameter, the process proceeds to step 90, where the data element is secured based on the recaptured first security parameter. The process then proceeds to step 92 where the secured data element is stored in the database. The process then proceeds to step 94 where the recaptured security parameter is resecured. The resecuring is done after the secured data element has been stored. The process then continues at step 82 for storing another data element.
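The store flow of FIG. 4 (steps 80 through 94) and the matching access flow of FIG. 3, sketched as an added example that is not code from the patent, using the variant in which the second security parameter is itself a symmetric key. Python's standard library has no DES or public-key cipher, so an HMAC-SHA256 encrypt-then-MAC construction stands in for both securing processes; the class, function and entity names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from contextlib import contextmanager

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Keystream from HMAC-SHA256 in counter mode (stand-in cipher, see lead-in).
    blocks = len(data) // 32 + 1
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(key, plaintext, aad):
    """Encrypt, then MAC the ciphertext together with the binding data (aad)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor_stream(key, nonce, plaintext)
    header = len(aad).to_bytes(4, "big") + aad + nonce
    return nonce + body + _prf(key, b"mac", header + body)


def unseal(key, blob, aad):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("secured value is truncated")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    header = len(aad).to_bytes(4, "big") + aad + nonce
    if not hmac.compare_digest(tag, _prf(key, b"mac", header + body)):
        raise ValueError("wrong key, wrong binding, or tampered data")
    return _xor_stream(key, nonce, body)


class SecuredDatabase:
    def __init__(self):
        self.wrapped = {}   # data_type -> {entity: secured first security parameter}
        self.elements = {}  # (data_type, element_id) -> secured data element

    def provision(self, data_type, entity_keys):
        """Step 80: encode one data key under each authorised entity's key."""
        data_key = secrets.token_bytes(32)
        self.wrapped[data_type] = {
            entity: seal(kek, data_key, data_type.encode())  # bound to the data type
            for entity, kek in entity_keys.items()
        }

    @contextmanager
    def _recaptured(self, entity, kek, data_type):
        try:
            secured = self.wrapped[data_type][entity]               # step 86 / 66
        except KeyError:
            raise PermissionError(f"{entity} holds no wrapped key for {data_type}") from None
        key = bytearray(unseal(kek, secured, data_type.encode()))   # step 88 / 68
        try:
            yield key
        finally:
            key[:] = bytes(len(key))  # step 94 / 74: resecure by destroying (best effort)

    def store(self, entity, kek, data_type, element_id, value):
        aad = f"{data_type}/{element_id}".encode()  # added binding: ties ciphertext to its row
        with self._recaptured(entity, kek, data_type) as key:
            self.elements[(data_type, element_id)] = seal(key, value, aad)  # steps 90, 92

    def fetch(self, entity, kek, data_type, element_id):
        aad = f"{data_type}/{element_id}".encode()
        with self._recaptured(entity, kek, data_type) as key:
            return unseal(key, self.elements[(data_type, element_id)], aad)


def demo():
    # Constructed sample entities and values, following the A-B / A-C columns of FIG. 1.
    keks = {n: secrets.token_bytes(32) for n in ("payroll_mgr", "officer_1", "officer_2")}
    db = SecuredDatabase()
    db.provision("A-B", {n: keks[n] for n in ("officer_1", "officer_2")})
    db.provision("A-C", {"payroll_mgr": keks["payroll_mgr"]})
    db.store("officer_1", keks["officer_1"], "A-B", 7, b"signature authority: 5000")
    db.store("payroll_mgr", keks["payroll_mgr"], "A-C", 7, b"exempt; wages 52000")

    results = {"shared_read": db.fetch("officer_2", keks["officer_2"], "A-B", 7)}
    try:
        db.fetch("officer_1", keks["officer_1"], "A-C", 7)
    except PermissionError:
        results["cross_column"] = "denied"
    db.elements[("A-B", 8)] = db.elements[("A-B", 7)]  # ciphertext copied to another row
    try:
        db.fetch("officer_1", keks["officer_1"], "A-B", 8)
    except ValueError:
        results["relocated"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Revoking an entity in this layout means deleting its wrapped copy and, if it may have recaptured the data key earlier, rotating the data key and re-encrypting that data type.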
The programming instructions of FIGS. 2 through 4 may be stored on a memory device or a plurality of memory devices. A memory device may be a read-only memory, random access memory, floppy disk memory, hard disk memory, magnetic tape memory, CD memory, DVD memory, and/or any other device which stores digital information. Further, the programming instructions of FIGS. 2 through 4 may be on a stand-alone memory device or in a memory device that is included in a computing device.
The preceding discussion has presented a method and apparatus for securing and accessing data elements within a database. Such a method allows for controlling the access to the database without compromising security, while not adding undue amounts of storage overhead. The control is established by encrypting symmetric keys using encryption public keys, which are granted by certification authorities. Such certification authorities, therefore, control which entities have access to the database. The cost savings for overhead is related to having specific recaptured symmetric keys associated to data items or logical groupings of data items within the database.

Claims (15)

What is claimed is:
1. A digital storage medium for storing programming instructions that, when read by a processing unit, causes the processing unit to secure a data element in a database that stores a plurality of data elements, the digital storage medium comprises:
first storage means for storing programming instructions that, when read by the processing unit, causes the processing unit, to encrypt a first security parameter based on a second security parameter to produce a secured first security parameter, wherein the first security parameter is associated with a first securing process, and wherein the second security parameter is associated with a second securing process;
second storage means for storing programming instructions that, when read by the processing unit, causes the processing unit, to receive a data element for storage in the database;
third storage means for storing programming instructions that, when read by the processing unit, causes the processing unit, to retrieve the secured first security parameter;
fourth storage means for storing programming instructions that, when read by the processing unit, causes the processing unit, to decrypt the secured first security parameter based on the second security parameter to recapture the first security parameter;
fifth storage means for storing programming instructions that, when read by the processing unit, causes the processing unit, to secure the data element based on the recaptured first security parameter to produce a secured data element within the database; and
sixth storage means for storing programming instructions that, when read by the processing unit, causes the processing unit, to store the secured data element in the database to produce a secured data element within the database.
2. The digital storage medium of claim 1 further comprises programming instructions that, when read by the processing unit, causes the processing unit to encode a first symmetric key based on a second symmetric key to produce the secured first security parameter.
3. The digital storage medium of claim 1 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
encode a symmetric key based on an encryption public key to produce the secured first security parameter; and
decoding the secured first security parameter based on a decryption private key to produce a recaptured symmetric key, wherein the decryption private key corresponds to the encryption public key.
4. The digital storage medium of claim 3 further comprises programming instructions that, when read by the processing unit, causes the processing unit to re-securing the recaptured symmetric key after the secured data element has been stored.
5. The digital storage medium of claim 3 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
receive a second data element;
secure the second data element based on the recaptured symmetric key to produce a second secured data element; and store the second secured data element in the database.
6. The digital storage medium of claim 3 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
interpret the data element to determine a data type; and
retrieve the secured symmetric key when the data element is of a first data type, wherein the secured first security parameter is bound to the first data type.
7. The digital storage medium of claim 6 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
retrieve a second secured symmetric key when the data element is of a second data type, wherein the second secured symmetric key is bound to the second data type, and wherein the second secured symmetric key is secured based on the encryption public key;
decrypting the second secured symmetric key based on the decryption private key to produce a second recaptured symmetric key; and
securing the data element based on the second recaptured symmetric key to produce the secured data element.
8. The digital storage medium of claim 6 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
retrieve a second secured symmetric key when the data element is of a second data type, wherein the second secured symmetric key is bound to the second data type, and wherein the second secured symmetric key is secured based on a second encryption public key; decrypt the second secured symmetric key based on a second decryption private key to produce a second recaptured symmetric key, wherein the second decryption private key corresponds to the second encryption public key; and
secure the data element based on the second recaptured symmetric key to produce the secured data element.
9. The digital storage medium of claim 6 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
within the first storage means, secure the symmetric key based on a plurality of encryption public keys to produce the secured first security parameter;
within the second storage means, receive the data element from a first entity, wherein the first entity is associated with one of the plurality of encryption public keys; and
within the fourth, decode the secured first security parameter based on a decryption private key associated with the one of the plurality of encryption public keys to produce the recaptured symmetric key.
10. A digital storage medium for storing programming instructions that, when read by a processing unit, cause the processing unit to access at least one data element that is stored in a database, the digital storage medium comprises:
first storage means for storing programming instructions that, when read by the processing unit, cause the processing unit to receive a request for access to at least one of a plurality of data elements from a requesting entity;
second storage means for storing programming instructions that, when read by the processing unit, cause the processing unit to retrieve a secured data element from within the database in response to the request, wherein the secured data element is secured based on a secured symmetric key;
third storage means for storing programming instructions that, when read by the processing unit, cause the processing unit to retrieve the secured symmetric key;
fourth storage means for storing programming instructions that, when read by the processing unit, cause the processing unit to decrypt the secured symmetric key based on a decryption private key to produce a recaptured symmetric key, wherein the secured symmetric key is secured based on an encryption public key that corresponds to the decryption private key;
fifth storage means for storing programming instructions that, when read by the processing unit, cause the processing unit, to recapture the data element from the secured data element based on the recaptured symmetric key to produce a recaptured data element; and
sixth storage means for storing programming instructions that, when read by the processing unit, cause the processing unit to provide the recaptured data element to the requesting entity.
11. The digital storage medium of claim 11 further comprises programming instructions that, when read by the processing unit, causes the processing unit to re-secure the recaptured symmetric key after the recaptured data element has been provided.
12. The digital storage medium of claim 11 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
retrieve a second secured data element in response to a second request;
recapture the second data from the second secured data element based on the recaptured symmetric key to produce a second recaptured data element; and
provide the second recaptured data element to the requesting entity.
13. The digital storage medium of claim 11 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
determine a data type based on the requesting entity; and
retrieve the secured symmetric key when the data element is of a first data type, wherein the secured symmetric key is bound to the first data type.
14. The digital storage medium of claim 13 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
retrieve a second secured symmetric key when the data element is of a second data type, wherein the second secured symmetric key is bound to the second data type, and wherein the second secured symmetric key is secured based on the public key;
decrypt the second secured symmetric key based on the decryption private key to produce a second recaptured symmetric key; and
recapture the data element from the secured data element based on the second recaptured symmetric key to produce the recaptured data element.
15. The digital storage medium of claim 13 further comprises programming instructions that, when read by the processing unit, causes the processing unit to:
retrieve a second secured symmetric key when the data element is of a second data type, wherein the second secured symmetric key is bound to the second data type, and wherein the second secured symmetric key is secured based on a second public key;
decrypt the second secured symmetric key based on a second decryption private key to produce a second recaptured symmetric key, wherein the second decryption private key corresponds to the second encryption public key; and
recapture the data element from the secured data element based on the second recaptured symmetric key to produce the recaptured data element.
US09/476,942 1998-03-24 2000-01-03 Apparatus for securing and accessing data elements within a database Expired - Lifetime US6327595B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US09/476,942 US6327595B1 (en) 1998-03-24 2000-01-03 Apparatus for securing and accessing data elements within a database

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/047,286 US6336121B1 (en) 1998-03-24 1998-03-24 Method and apparatus for securing and accessing data elements within a database
US09/476,942 US6327595B1 (en) 1998-03-24 2000-01-03 Apparatus for securing and accessing data elements within a database

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/047,286 Division US6336121B1 (en) 1998-03-24 1998-03-24 Method and apparatus for securing and accessing data elements within a database

Publications (1)

Publication Number Publication Date
US6327595B1 true US6327595B1 (en) 2001-12-04

Family

ID=21948109

Family Applications (2)

Application Number Title Priority Date Filing Date
US09/047,286 Expired - Lifetime US6336121B1 (en) 1998-03-24 1998-03-24 Method and apparatus for securing and accessing data elements within a database
US09/476,942 Expired - Lifetime US6327595B1 (en) 1998-03-24 2000-01-03 Apparatus for securing and accessing data elements within a database

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US09/047,286 Expired - Lifetime US6336121B1 (en) 1998-03-24 1998-03-24 Method and apparatus for securing and accessing data elements within a database

Country Status (1)

Country Link
US (2) US6336121B1 (en)

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4051510B2 (en) * 1998-07-16 2008-02-27 ソニー株式会社 Data storage device and data storage method
US6754661B1 (en) * 1999-07-13 2004-06-22 Microsoft Corporation Hierarchical storage systems for holding evidentiary objects and methods of creating and operating upon hierarchical storage systems
US9607041B2 (en) * 1999-07-15 2017-03-28 Gula Consulting Limited Liability Company System and method for efficiently accessing internet resources
EP1238348B1 (en) * 1999-07-15 2004-01-28 Richard B. Himmelstein Communication device for efficiently accessing internet resources
SG103257A1 (en) * 2000-04-13 2004-04-29 Kent Ridge Digital Labs Private retrieval of digital objects
US6691209B1 (en) * 2000-05-26 2004-02-10 Emc Corporation Topological data categorization and formatting for a mass storage system
US7315859B2 (en) * 2000-12-15 2008-01-01 Oracle International Corp. Method and apparatus for management of encrypted data through role separation
US7472280B2 (en) * 2000-12-27 2008-12-30 Proxense, Llc Digital rights management
US6973576B2 (en) * 2000-12-27 2005-12-06 Margent Development, Llc Digital content security system
US20020080969A1 (en) * 2000-12-27 2002-06-27 Giobbi John J. Digital rights management system and method
US20030115351A1 (en) * 2001-12-14 2003-06-19 Giobbi John J. Digital content distribution system and method
US9613483B2 (en) 2000-12-27 2017-04-04 Proxense, Llc Personal digital key and receiver/decoder circuit system and method
US7305560B2 (en) * 2000-12-27 2007-12-04 Proxense, Llc Digital content security system
US7266699B2 (en) * 2001-08-30 2007-09-04 Application Security, Inc. Cryptographic infrastructure for encrypting a database
US20040167800A1 (en) * 2003-02-26 2004-08-26 Duke University Methods and systems for searching, displaying, and managing medical teaching cases in a medical teaching case database
US7636441B2 (en) * 2004-01-12 2009-12-22 Intel Corporation Method for secure key exchange
WO2005086802A2 (en) 2004-03-08 2005-09-22 Proxense, Llc Linked account system using personal digital key (pdk-las)
CA2591751A1 (en) 2004-12-20 2006-06-29 Proxense, Llc Biometric personal data key (pdk) authentication
US8799680B2 (en) * 2005-09-15 2014-08-05 Microsoft Corporation Transactional sealed storage
US8433919B2 (en) 2005-11-30 2013-04-30 Proxense, Llc Two-level authentication for secure transactions
US9113464B2 (en) 2006-01-06 2015-08-18 Proxense, Llc Dynamic cell size variation via wireless link parameter adjustment
US11206664B2 (en) 2006-01-06 2021-12-21 Proxense, Llc Wireless network synchronization of cells and client devices on a network
US7751570B2 (en) * 2006-04-04 2010-07-06 Oracle International Corporation Method and apparatus for managing cryptographic keys
US7853466B2 (en) * 2006-09-08 2010-12-14 Gm Global Technology Operations, Inc. Supply chain facility performance analyzer
US20080193514A1 (en) * 2006-11-02 2008-08-14 Transcu Ltd. Compostions and methods for iontophoresis delivery of active ingredients through hair follicles
US7883003B2 (en) 2006-11-13 2011-02-08 Proxense, Llc Tracking system using personal digital key groups
US9269221B2 (en) 2006-11-13 2016-02-23 John J. Gobbi Configuration of interfaces for a location detection system and application
US8027993B2 (en) * 2006-12-28 2011-09-27 Teradota Us, Inc. Techniques for establishing and enforcing row level database security
US8659427B2 (en) 2007-11-09 2014-02-25 Proxense, Llc Proximity-sensor supporting multiple application services
US8171528B1 (en) 2007-12-06 2012-05-01 Proxense, Llc Hybrid device having a personal digital key and receiver-decoder circuit and methods of use
US9251332B2 (en) 2007-12-19 2016-02-02 Proxense, Llc Security system and method for controlling access to computing resources
US8508336B2 (en) 2008-02-14 2013-08-13 Proxense, Llc Proximity-based healthcare management system with automatic access to private information
US20090220089A1 (en) * 2008-02-28 2009-09-03 International Business Machines Corporation Method and apparatus for mapping encrypted and decrypted data via a multiple key management system
WO2009126732A2 (en) 2008-04-08 2009-10-15 Proxense, Llc Automated service-based order processing
US8909916B2 (en) * 2009-11-30 2014-12-09 Red Hat, Inc. Using a PKCS module for opening multiple databases
US9418205B2 (en) 2010-03-15 2016-08-16 Proxense, Llc Proximity-based system for automatic application or data access and item tracking
US9322974B1 (en) 2010-07-15 2016-04-26 Proxense, Llc. Proximity-based system for object tracking
US8857716B1 (en) 2011-02-21 2014-10-14 Proxense, Llc Implementation of a proximity-based system for object tracking and automatic application initialization
US9405898B2 (en) 2013-05-10 2016-08-02 Proxense, Llc Secure element as a digital pocket

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5737419A (en) * 1994-11-09 1998-04-07 Bell Atlantic Network Services, Inc. Computer system for securing communications using split private key asymmetric cryptography
US5924094A (en) * 1996-11-01 1999-07-13 Current Network Technologies Corporation Independent distributed database system
US6185685B1 (en) * 1997-12-11 2001-02-06 International Business Machines Corporation Security method and system for persistent storage and communications on computer network systems and computer network systems employing the same

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5535276A (en) * 1994-11-09 1996-07-09 Bell Atlantic Network Services, Inc. Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography
IL113259A (en) * 1995-04-05 2001-03-19 Diversinet Corp Apparatus and method for safe communication handshake and data transfer
US5727156A (en) * 1996-04-10 1998-03-10 Hotoffice Technologies, Inc. Internet-based automatic publishing system
US5920630A (en) * 1997-02-25 1999-07-06 United States Of America Method of public key cryptography that includes key escrow
US5991399A (en) * 1997-12-18 1999-11-23 Intel Corporation Method for securely distributing a conditional use private key to a trusted entity on a remote system

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7203834B1 (en) * 1999-12-02 2007-04-10 International Business Machines Corporation Method of updating encryption keys in a data communication system
US7418098B1 (en) * 2000-11-27 2008-08-26 Protegrity Corporation Data type preserving encryption
US7603703B2 (en) * 2001-04-12 2009-10-13 International Business Machines Corporation Method and system for controlled distribution of application code and content data within a computer network
US7650491B2 (en) 2001-04-12 2010-01-19 International Business Machines Corporation Method and system for controlled distribution of application code and content data within a computer network
US20020150243A1 (en) * 2001-04-12 2002-10-17 International Business Machines Corporation Method and system for controlled distribution of application code and content data within a computer network
US20090083542A1 (en) * 2001-04-12 2009-03-26 David John Craft Method and system for controlled distribution of application code and content data within a computer network
US20070083928A1 (en) * 2001-11-23 2007-04-12 Ulf Mattsson Data security and intrusion detection
US7594266B2 (en) 2001-11-23 2009-09-22 Protegrity Corporation Data security and intrusion detection
US20040193882A1 (en) * 2003-03-26 2004-09-30 Authenticatid Corp. System, method and computer program product for authenticating a client
US8224887B2 (en) 2003-03-26 2012-07-17 Authenticatid, Llc System, method and computer program product for authenticating a client
US20040255133A1 (en) * 2003-06-11 2004-12-16 Lei Chon Hei Method and apparatus for encrypting database columns
US10339336B2 (en) * 2003-06-11 2019-07-02 Oracle International Corporation Method and apparatus for encrypting database columns
US20080033960A1 (en) * 2004-09-03 2008-02-07 Sybase, Inc. Database System Providing Encrypted Column Support for Applications
US7797342B2 (en) 2004-09-03 2010-09-14 Sybase, Inc. Database system providing encrypted column support for applications
US20060053112A1 (en) * 2004-09-03 2006-03-09 Sybase, Inc. Database System Providing SQL Extensions for Automated Encryption and Decryption of Column Data
US7743069B2 (en) 2004-09-03 2010-06-22 Sybase, Inc. Database system providing SQL extensions for automated encryption and decryption of column data
US20100095118A1 (en) * 2006-10-12 2010-04-15 Rsa Security Inc. Cryptographic key management system facilitating secure access of data portions to corresponding groups of users
WO2008121157A3 (en) * 2006-10-12 2009-01-22 Rsa Security Inc Cryptographic key management system facilitating secure access of data portions to corresponding groups of users
WO2008121157A2 (en) * 2006-10-12 2008-10-09 Rsa Security Inc. Cryptographic key management system facilitating secure access of data portions to corresponding groups of users
US20100290623A1 (en) * 2007-08-17 2010-11-18 Sybase, Inc. Protection of encryption keys in a database
US9158933B2 (en) 2007-08-17 2015-10-13 Sybase, Inc. Protection of encryption keys in a database
US8769272B2 (en) 2008-04-02 2014-07-01 Protegrity Corporation Differential encryption utilizing trust modes
US20140090085A1 (en) * 2012-09-26 2014-03-27 Protegrity Corporation Database access control
US9087209B2 (en) * 2012-09-26 2015-07-21 Protegrity Corporation Database access control
US10127389B1 (en) * 2015-03-30 2018-11-13 Amazon Technologies, Inc. Performing operations on intelligent storage with hardened interfaces
US20190080099A1 (en) * 2015-03-30 2019-03-14 Amazon Technologies, Inc. Performing operations on intelligent storage with hardened interfaces
US10503917B2 (en) * 2015-03-30 2019-12-10 Amazon Technologies, Inc. Performing operations on intelligent storage with hardened interfaces
CN107563220A (en) * 2017-08-29 2018-01-09 湖南财政经济学院 A kind of computer based big data analysis and Control system and control method

Also Published As

Publication number Publication date
US6336121B1 (en) 2002-01-01

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: WELLS FARGO FOOTHILL, LLC, CALIFORNIA

Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:HAC HOLDINGS, INC.;HAC ACQUISITION CORPORATION;ENTRUST, INC.;AND OTHERS;REEL/FRAME:023015/0782

Effective date: 20090728

FPAY Fee payment

Year of fee payment: 12

AS Assignment

Owner name: ENTRUST INC., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LYSON, PATRICK A.;VANDERGEEST, RON J.;SIGNING DATES FROM 19980309 TO 19980310;REEL/FRAME:031337/0172

AS Assignment

Owner name: ORION SECURITY SOLUTIONS, INC., VIRGINIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:GOLUB CAPITAL LLC;REEL/FRAME:032086/0638

Effective date: 20131231

Owner name: ENTRUST, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:GOLUB CAPITAL LLC;REEL/FRAME:032086/0638

Effective date: 20131231

Owner name: ENTRUST HOLDINGS, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:GOLUB CAPITAL LLC;REEL/FRAME:032086/0638

Effective date: 20131231

AS Assignment

Owner name: ENTRUST HOLDINGS, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:WELLS FARGO CAPITAL FINANCE, LLC;REEL/FRAME:032089/0151

Effective date: 20131231

Owner name: ORION SECURITY SOLUTIONS, INC., VIRGINIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:WELLS FARGO CAPITAL FINANCE, LLC;REEL/FRAME:032089/0151

Effective date: 20131231

Owner name: ENTRUST, INC., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:WELLS FARGO CAPITAL FINANCE, LLC;REEL/FRAME:032089/0151

Effective date: 20131231

AS Assignment

Owner name: BMO HARRIS BANK N.A., AS AGENT, ILLINOIS

Free format text: SECURITY AGREEMENT;ASSIGNOR:ENTRUST, INC.;REEL/FRAME:045945/0602

Effective date: 20180413

AS Assignment

Owner name: ENTRUST CORPORATION, MINNESOTA

Free format text: MERGER;ASSIGNOR:ENTRUST, INC.;REEL/FRAME:066806/0175

Effective date: 20220329